Perform Desktop Lockdown using Microsoft SCCM and PolicyPak

Microsoft SCCM enables you to deploy your applications. You love it. You live in it. You need it!

But SCCM is missing the “last mile” (sorry, SCCM.) SCCM cannot manage the settings within the application. SCCM cannot manage the user interface of the application. SCCM cannot lock down the application.

True: You can “bake in” your suggested settings into your applications. But 10 seconds after you deploy the application to your collections, your users just work around your settings and make their desktops (and your whole company) less secure.

Don’t panic! PolicyPak prevents users from manipulating important settings, but also quietly reapplies misconfigured settings if a user or application happens to work around them.

Watch this video to see how you can use SCCM with PolicyPak to ensure that users’ applications are automatically deployed, remediated and fully locked down with the IT and business settings they need to have:

Hi. This is Jeremy Moskowitz, Microsoft MVP and Founder of PolicyPak Software. In this video, we’re going to learn how to utilize PolicyPak alongside Microsoft SCCM.

To set the stage, the big problem that you have right now is you’re using SCCM to deploy your current software, but you’re really not doing anything with SCCM to manage and lock down your software.

We have a white paper on your website which is under the “Solutions” area. It’s called “Why SCCM Admins Need PolicyPak.” I would definitely encourage you to go ahead and download that.

For now as a very brief demonstration, in “Adobe Reader” if I was a regular user and go to “Edit/Preferences…,” I can do all sorts of things that you definitely don’t want me to do. You don’t want me to have this checkbox checked. That makes me less secure. You don’t want to enable me to uncheck these checkboxes. That also makes me less secure. I can just say, “OK.” You don’t want me to be tempted by these “Updater” things and click “OK” and get prompted with UAC prompts. You don’t want these things.

For applications like “Mozilla Firefox,” in this example this is an App-V application which you could have deployed using SCCM if you were so inclined. Then how do you set the important configuration “Options…” like your “Home Page” and make sure that users don’t work around your important “Security” settings? How are you going to do that?

The same thing, and lastly, with say “WinZip” here. I’m just using these as three little examples. How can you make sure that users won’t somehow work around your important configuration settings? That’s the stage. That’s what we’re going to do using PolicyPak delivered by SCCM.

Now in lots of other videos on our website, you’ll see PolicyPak integrated directly with Group Policy, and that’s what I’ve got here. I’ve got lots of GPOs and I’ve got an OU structure and I’m deploying Group Policy Objects and therefore I’m deploying PolicyPak that way.

Remember, this video is all about SCCM, so there is no Group Policy involved. So I’ll just close the Group Policy console altogether. The good news is we ship with a free utility to help SCCM admins called the “PolicyPak Exporter” utility. The PolicyPak Exporter utility enables you to create an MSI file from PolicyPak files that you can then deploy using SCCM.

Let me go ahead and “Create New XML data File…” here. These are the Paks that I happen to have on this machine. PolicyPak ships with over 50 and more preconfigured Paks for popular applications like Firefox, Flash, Foxit Reader, Lync, Office, Skype, Shockwave, Java. It just goes on and on and on. If you’ve got an application, we probably have a Pak for it, and you can create your own Paks.

Just for starters, let’s go to “Adobe Reader X” here. We’ll go ahead and do that one first. You can see that this looks pretty much exactly like the app. Let’s go right over to “JavaScript.” You don’t want this checkmark checked on the target machines. Let’s uncheck it and right click over it and use the PolicyPak superpower of “Disable corresponding control in target application.” We’ll go ahead and click on that.

We’ll go over to “Security (Enhanced).” We want to ensure that is checked, so we’re delivering a checkmark there. We’ll right click over it again and also “Disable corresponding control in target application.” Again, just because you’re deploying the application, there’s really no way for you to manage the application settings and ensure that users can’t work around it, so we’ll disable the corresponding control.

We’ll go over to “Updater” and we’ll once again “Do not download or install updates automatically.” We’ll make sure that users don’t get those annoying popups and ensure that you are the guy or the gal who is going to be deploying the updates for the user and them not getting prompted. We’ll go ahead and once again “Disable corresponding control in target application.”

We’ll go ahead and we’ll do something similar for “Mozilla Firefox” here. You saw that Firefox was an App-V application which could have been deployed by SCCM or it could have been prebaked into the machine. That’s fine. Let’s go ahead and set the “Home Page” to “www.policypak.com.” There we go. We’ll make sure that those “Security” checkboxes are ensured and checked on. We’ll do that.

Lastly while we’re here, we’ll go and pick “WinZip 14 and 15.” We’ll go ahead and pick WinZip here. We’ll go ahead and go to “Passwords.” We’ll check all four of these checkboxes in Passwords. We’ll go ahead and “Hide corresponding control in target application.” This is going to remove the UI entirely. We’ll go ahead and “Disable corresponding control in target application” here for this last checkbox. We’ll set the “Minimum password length” to “11.” We’ll also go ahead and “Disable corresponding control in target application.” We’ll go ahead and we’ll lock that guy down.

Under “Cameras,” we’ll also right click and “Disable whole tab in target application.” We’re setting all these settings, ready to go. We’re locked and loaded. These are three applications; we’re almost there.

Now you can see what we’re doing is we’re installing it for the “Computer” side. You don’t have to do that. If you wanted to for the “Mozilla Firefox” edict, you don’t have to deploy it to every user on the computer. You could deploy it to specific “Users & Groups.”

Let’s click on the “Users” and let’s “Add Users…” in. You could add in “westsalesuser2.” You could do that. You could add in a group if you wanted to. I’ll just pick “guests” which I know is a little silly, but I’ll go ahead and click it anyway.

The point is you could use local, built-in or Active Directory groups or users and specify exactly who on a particular machine will get these particular settings. Let me say that again. For instance in this example, “Adobe Reader X,” “All Users” are going to get it because we’re deploying on the “Computer” side. On “Mozilla Firefox,” we’re dictating very specifically which users and which groups are going to get these configuration settings, which is for Firefox.

That’s it. It’s just that easy. Now you’ve got your PolicyPak Paks. You’ve got them integrated here into the PolicyPak Exporter utility. All we’re going to do now is we’re going to save this out as an MSI file. This gives you ultimate flexibility on what you want to do.

Let’s go ahead. I’ll save this out under “c:\share.” I’ll call this “PolicyPak-Exports-Demo1.” So here it is, “PolicyPak-Exports-Demo1.” It’s just hanging out on this particular server, and we’re ready to go.

All we’re going to do for the location here is we’re going to pick where the MSI Pak we just created lives, which is “\\dc\share.” There it is, “PolicyPak-Exports-Demo1.” We’ll go ahead and click “Next.” It says that it’s not verified. It’s not digitally signed, but you just created it yourself and you know what’s in there. That’s it. You’re ready to go.

Let’s go ahead and click “Next” here. You can see all we do is we run “msiexec /I” against the MSI file you create. Instead of installing for user, let’s “Install for system.” Go ahead and click “Next” and click “Next.” That’s it.

Last but not least, let’s go ahead and click over the application and let us go to “Deploy” this. Let’s make sure it gets over to our collection. I’m going to select my collection of “West Sales Client Computers.” I only have one in there. We’ll distribute the content. We’ll go ahead and pick our “Distribution Point.” We’ll pick our “SCCM” guy right there.

We want to “Install” and make it “Required.” We’ll “Deploy automatically according to schedule whether or not a user is logged on.” That’s totally great. We’ll go ahead and say “Next.” We’re OK with all that. Excellent, excellent. That’s it.
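The deployment steps above hand an unsigned MSI to SCCM for a system-context install. The script below is an added example, not code from the video or from PolicyPak: it records and re-checks the SHA256 of the exported MSI so that the file you deploy is the one you exported, runs the same “msiexec /i” system install SCCM issues (with a verbose log), and confirms on a client that the package landed in the per-machine Uninstall registry. The UNC path and the “Packaged PolicyPak Settings” display name are taken from the video; the baseline hash is a placeholder you fill in yourself after exporting, and the display-name match to the MSI’s ProductName is an assumption.

```powershell
# Added example (not from the video or PolicyPak): integrity check for the
# exported MSI, the msiexec line SCCM runs for "Install for system", and a
# post-install check on the client.
$MsiPath        = '\\dc\share\PolicyPak-Exports-Demo1.msi'   # path from the video
$BaselineSha256 = '<SHA256 recorded right after export>'     # placeholder: fill in yourself
$DisplayName    = 'Packaged PolicyPak Settings'              # assumed to equal the MSI ProductName

function Test-ExportedMsi {
    param([string]$Path, [string]$ExpectedHash)
    # The Exporter output is not Authenticode-signed, so the only integrity
    # anchor is the hash you recorded at export time. Refuse to deploy on mismatch.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    Write-Host "Signature status : $($sig.Status)"   # NotSigned for an Exporter MSI
    Write-Host "SHA256           : $hash"
    if ($ExpectedHash -and $hash -ne $ExpectedHash) {
        throw "Hash mismatch for $Path; the file changed since export. Do not deploy."
    }
    return $hash
}

function Install-ExportedMsi {
    param([string]$Path)
    # Same action SCCM takes for "Install for system": silent install with a verbose log.
    $log     = Join-Path $env:TEMP 'PolicyPak-Exports-Demo1.install.log'
    $argList = "/i `"$Path`" /qn /norestart /l*v `"$log`""
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $argList -Wait -PassThru
    # 0 = success, 3010 = success but reboot required
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec failed with exit code $($proc.ExitCode); see $log"
    }
    return $proc.ExitCode
}

function Test-MsiInstalled {
    param([string]$Name)
    # A per-machine MSI install registers under the 64-bit or 32-bit Uninstall key;
    # this is the same lookup an SCCM detection rule performs.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $hit = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -eq $Name } |
           Select-Object -First 1
    if (-not $hit) { return $false }
    Write-Host "Installed: $($hit.DisplayName) $($hit.DisplayVersion) (ProductCode $($hit.PSChildName))"
    return $true
}

# On the admin workstation, before creating the SCCM application:
#   Test-ExportedMsi -Path $MsiPath -ExpectedHash $BaselineSha256
# On a client, to reproduce the SCCM action and confirm the result:
#   Install-ExportedMsi -Path $MsiPath
#   Test-MsiInstalled -Name $DisplayName
```

Run Test-ExportedMsi once right after the Exporter writes the file and paste the printed hash into $BaselineSha256; every later run then fails loudly if the MSI on the share was altered before SCCM distributed it.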

Now just to prove I’m pulling a fast one on you here, let me go over to my target machine and show you that my applications are still not locked down. We’re still at this place where a user can do things that they shouldn’t be doing. A user can still do mean, nasty things.

I’ll show you “Mozilla Firefox” one last time. Again, Firefox is an App-V style application. You can see that even though we’re using an older version, our Firefox Pak works for all versions Firefox 3 and later, actually.

Long story short, you can see that it hasn’t kicked in yet. What I’m going to do is I’m going to pause the video. I’m going to make the SCCM client do its thing, install the MSI file you just created. We’ll come back after, and we’ll see the magic happen.

OK, we’re back. Let’s go ahead and see what happened here. This is the SCCM Software Center here. Let’s go ahead and “Open Software Center.” Here’s our “Packaged PolicyPak Settings.” Again, this is just that simple MSI file that we created using the PolicyPak directives. You can see that it in fact is installed. That’s it. It’s less than a megabyte.

We’ll go ahead and close that. No funny business here. Let’s just go ahead and run each application one-by-one. “Adobe Reader X,” when we run that we go to “Edit/Preferences….” There we go. For “JavaScript,” you can see that we’ve unchecked this checkbox, making the machine more secure. It’s grayed out so the user can’t possibly work around our settings.

We go to “Security (Enhanced).” We’ve delivered the checkmark, and therefore we are more secure and the user can’t work around our settings. “Updater” we’ve now delivered “Do not download or install updates automatically” and once again ensured that users can’t work around the settings.

Let’s go ahead and take a look at the other applications, like say “WinZip” by way of example here. If we go to “Options/Configuration…” and go to “Passwords,” you can see all four of our checkmarks are checked. This one is completely removed. That one is grayed out. This “Minimum password length” is set to “11” and is unworkaroundable.

Same thing with “Cameras.” Cameras is a tab that we’ve specified as completely disabled, and the user can’t work around that either. Last but not least, let’s go over to “Mozilla Firefox.” Remember, Firefox was an App-V app. You can see here that it’s running using “Microsoft Application Virtualization.”

As soon as that runs, it launches and PolicyPak, if we go to “Tools/Options…,” you can see sets the “Home Page.” It’s not Internet connected right now, but the homepage is set, as are the “Security” checkboxes.

If we uncheck these checkboxes and click “OK” and go to rerun the app, well again PolicyPak is always working. If the user is online or offline, PolicyPak is constantly redelivering those settings so that even if a user does find a way to work around it, we re-guarantee those settings online or offline.

I highly recommend and encourage you to download the “Why SCCM Admins Need PolicyPak” white paper off of our website. Hopefully, this video gives you some insight about how you can use them better together.

With that in mind, if you’d like to try this out for yourself, we’d encourage you to try us out. Just go ahead and reach out. We’ll look forward to seeing you on a webinar soon and trying it out right after that.